Way OT: SSH worries

Alex Neuman alex at nkpanama.com
Mon Aug 16 15:45:15 IST 2004


I'm getting the following in mail logs (through logwatch) and it used to be
rare, then a few weeks ago it started happening a few times a week; now it
happens several times every day: someone's "jiggling the doorknob" on my
server. Anybody else seen something like this? Is it some kind of rootkit,
or trojan?

I think I'm going to have to add a rule to drop port 22 packets from
anywhere but a few locations if this continues.


Failed logins from these:
   admin/password from 203.195.183.10: 2 Time(s)
   admin/password from 210.15.112.41: 2 Time(s)
   admin/password from 64.114.43.77: 2 Time(s)
   guest/password from 203.195.183.10: 1 Time(s)
   guest/password from 210.15.112.41: 1 Time(s)
   guest/password from 220.117.203.9: 1 Time(s)
   guest/password from 61.221.196.181: 1 Time(s)
   guest/password from 64.114.43.77: 1 Time(s)
   root/password from 203.195.183.10: 3 Time(s)
   root/password from 210.15.112.41: 3 Time(s)
   root/password from 64.114.43.77: 3 Time(s)
   test/password from 203.195.183.10: 2 Time(s)
   test/password from 210.15.112.41: 2 Time(s)
   test/password from 220.117.203.9: 1 Time(s)
   test/password from 61.221.196.181: 1 Time(s)
   test/password from 64.114.43.77: 2 Time(s)
   user/password from 203.195.183.10: 1 Time(s)
   user/password from 210.15.112.41: 1 Time(s)
   user/password from 64.114.43.77: 1 Time(s)

Illegal users from these:
   guest/none from 203.195.183.10: 1 Time(s)
   guest/none from 210.15.112.41: 1 Time(s)
   guest/none from 220.117.203.9: 1 Time(s)
   guest/none from 61.221.196.181: 1 Time(s)
   guest/none from 64.114.43.77: 1 Time(s)
   guest/password from 203.195.183.10: 1 Time(s)
   guest/password from 210.15.112.41: 1 Time(s)
   guest/password from 220.117.203.9: 1 Time(s)
   guest/password from 61.221.196.181: 1 Time(s)
   guest/password from 64.114.43.77: 1 Time(s)
   test/none from 203.195.183.10: 2 Time(s)
   test/none from 210.15.112.41: 2 Time(s)
   test/none from 220.117.203.9: 1 Time(s)
   test/none from 61.221.196.181: 1 Time(s)
   test/none from 64.114.43.77: 2 Time(s)
   test/password from 203.195.183.10: 2 Time(s)
   test/password from 210.15.112.41: 2 Time(s)
   test/password from 220.117.203.9: 1 Time(s)
   test/password from 61.221.196.181: 1 Time(s)
   test/password from 64.114.43.77: 2 Time(s)
   user/none from 203.195.183.10: 1 Time(s)
   user/none from 210.15.112.41: 1 Time(s)
   user/none from 64.114.43.77: 1 Time(s)
   user/password from 203.195.183.10: 1 Time(s)
   user/password from 210.15.112.41: 1 Time(s)
   user/password from 64.114.43.77: 1 Time(s)
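
Added example, not part of the original post: a short parser for the logwatch summary format shown above that groups the failed logins by source address and flags any source that cycled through several account names. The function names and the `min_users` threshold are assumptions made for illustration; the sample is an excerpt of the report in the post.

```python
import re
from collections import defaultdict

# Excerpt of the "Failed logins" section of the report in the post above.
SAMPLE = """\
Failed logins from these:
   admin/password from 203.195.183.10: 2 Time(s)
   guest/password from 203.195.183.10: 1 Time(s)
   root/password from 203.195.183.10: 3 Time(s)
   test/password from 203.195.183.10: 2 Time(s)
   user/password from 203.195.183.10: 1 Time(s)
   guest/password from 220.117.203.9: 1 Time(s)
   test/password from 220.117.203.9: 1 Time(s)
"""

LINE = re.compile(r"^\s*(?P<user>\S+)/(?P<method>\S+) from (?P<ip>[0-9.]+): (?P<n>\d+) Time\(s\)\s*$")

def parse_section(text, header="Failed logins from these:"):
    """Yield (user, method, ip, count) for the entries under one logwatch header."""
    in_section = False
    for line in text.splitlines():
        if line.strip().endswith("from these:"):
            in_section = line.strip() == header  # track which section we are in
            continue
        m = LINE.match(line)
        if in_section and m:
            yield m["user"], m["method"], m["ip"], int(m["n"])

def summarize(text, min_users=3):
    """Per-source totals; min_users is an assumed threshold for 'tried a name list'."""
    users, attempts = defaultdict(set), defaultdict(int)
    for user, _method, ip, n in parse_section(text):
        users[ip].add(user)
        attempts[ip] += n
    return {ip: {"attempts": attempts[ip], "users": sorted(users[ip]),
                 "wordlist_scan": len(users[ip]) >= min_users}
            for ip in users}

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        print(ip, info)
```

Only one section is read at a time because the same user/method/address entries appear under both headers in the report, so summing across both would count them twice.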
